From cafe6d258c91c3814d83c0655c8c6354e3eade1c Mon Sep 17 00:00:00 2001 From: Pushkar Joglekar Date: Tue, 19 Jul 2022 15:47:27 -0700 Subject: [PATCH] Fetch and Render CVE JSON feed - Pull JSON blob from queried issues - Use layout output formats + templates to generate HTML table and JSON blob - Add localized strings and caption for CVE feed - Add a new page to describe details about CVE feed and how to use it - Update existing pages and link the official CVE feed from it Co-authored-by: Neha Lohia Co-authored-by: Tim Bannister --- config.toml | 3 ++ .../docs/reference/issues-security/issues.md | 7 ++- .../issues-security/official-cve-feed.md | 44 +++++++++++++++++++ data/i18n/en/en.toml | 28 ++++++++++++ layouts/_default/cve-feed.json | 23 ++++++++++ layouts/shortcodes/cve-feed.html | 19 ++++++++ 6 files changed, 122 insertions(+), 2 deletions(-) create mode 100644 content/en/docs/reference/issues-security/official-cve-feed.md create mode 100644 layouts/_default/cve-feed.json create mode 100644 layouts/shortcodes/cve-feed.html diff --git a/config.toml b/config.toml index a153bdf11bbea..470be9773bfa7 100644 --- a/config.toml +++ b/config.toml @@ -169,6 +169,9 @@ algolia_docsearch = false # Enable Lunr.js offline search offlineSearch = false +# Official CVE feed bucket URL +cveFeedBucket = "https://storage.googleapis.com/k8s-cve-feed/official-cve-feed.json" + [params.pushAssets] css = [ "callouts", diff --git a/content/en/docs/reference/issues-security/issues.md b/content/en/docs/reference/issues-security/issues.md index 5e4ebe85c036a..3dbec5bdcc9d4 100644 --- a/content/en/docs/reference/issues-security/issues.md +++ b/content/en/docs/reference/issues-security/issues.md 
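Review bot: `cveFeedBucket` is consumed by `getJSON` at build time (see `layouts/_default/cve-feed.json` and the shortcode in this same patch), and Hugo's `getjson` file cache defaults, as far as I recall, to `maxAge = -1` (never expires), so a builder that keeps its cache directory between runs will keep rendering the first downloaded copy instead of "auto-refreshing" as the new docs page promises. Consider adding a `[caches.getjson]` table with `maxAge = "1h"` (or whatever lag the feed page documents) so the object is actually re-fetched, and say so in the comment above the key. The value is also the URL of one JSON object, not a bucket, so a comment such as `# URL of the official CVE feed JSON object, fetched at build time by getJSON (see layouts/_default/cve-feed.json)` would stop the name from misleading readers. The enclosing table header is outside this hunk; presumably it is `[params]`, since the templates read `.Site.Params.cveFeedBucket`.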
@@ -8,6 +8,9 @@ To report a security issue, please follow the [Kubernetes security disclosure pr Work on Kubernetes code and public issues are tracked using [GitHub Issues](https://github.com/kubernetes/kubernetes/issues/). -* [CVE-related issues](https://github.com/kubernetes/kubernetes/issues?utf8=%E2%9C%93&q=is%3Aissue+label%3Aarea%2Fsecurity+in%3Atitle+CVE) +* Official [list of known CVEs](/docs/reference/issues-security/official-cve-feed/) + (security vulnerabilities) that have been announced by the + [Security Response Committee](https://github.com/kubernetes/committee-security-response) +* [CVE-related GitHub issues](https://github.com/kubernetes/kubernetes/issues?utf8=%E2%9C%93&q=is%3Aissue+label%3Aarea%2Fsecurity+in%3Atitle+CVE) -Security-related announcements are sent to the [kubernetes-security-announce@googlegroups.com](https://groups.google.com/forum/#!forum/kubernetes-security-announce) mailing list. +Security-related announcements are sent to the [kubernetes-security-announce@googlegroups.com](https://groups.google.com/forum/#!forum/kubernetes-security-announce) mailing list. \ No newline at end of file diff --git a/content/en/docs/reference/issues-security/official-cve-feed.md b/content/en/docs/reference/issues-security/official-cve-feed.md new file mode 100644 index 0000000000000..6a48924e42b12 --- /dev/null +++ b/content/en/docs/reference/issues-security/official-cve-feed.md 
@@ -0,0 +1,44 @@ +--- +title: Official CVE Feed +weight: 25 +outputs: + - json + - html +layout: cve-feed +--- + +{{< feature-state for_k8s_version="v1.25" state="alpha" >}} + +This is a community maintained list of official CVEs announced by +the Kubernetes Security Response Committee. See +[Kubernetes Security and Disclosure Information](/docs/reference/issues-security/security/) +for more details. + +The Kubernetes project publishes a programmatically accessible +[JSON Feed](/docs/reference/issues-security/official-cve-feed/index.json) of +published security issues. You can access it by executing the following command: + +{{< comment >}} +`replace` is used to bypass known issue with rendering ">" +: https://github.com/gohugoio/hugo/issues/7229 in JSON layouts template +`layouts/_default/cve-feed.json` +{{< /comment >}} + +```shell +curl -v https://k8s.io/docs/reference/issues-security/official-cve-feed/index.json +``` + +{{< cve-feed >}} + + + +This feed is auto-refreshing with a noticeable but small lag (minutes to hours) +from the time a CVE is announced to the time it is accessible in this feed. + +The source of truth of this feed is a set of GitHub Issues, filtered by a controlled and +restricted label `official-cve-feed`. The raw data is stored in a Google Cloud +Bucket which is writable only by a small number of trusted members of the +Community. \ No newline at end of file diff --git a/data/i18n/en/en.toml b/data/i18n/en/en.toml index 6c57982f9b11e..831401536c58b 100644 --- a/data/i18n/en/en.toml +++ b/data/i18n/en/en.toml 
@@ -27,6 +27,34 @@ other = "Twitter" [community_youtube_name] other = "YouTube" + +[cve_id] +other = "CVE ID" + +[cve_issue_url] +other = "CVE GitHub Issue URL" + +[cve_json_external_url] +other = "external_url" + +[cve_json_id] +other = "id" + +[cve_json_summary] +other = "summary" + +[cve_json_url] +other = "url" + +[cve_summary] +other = "Issue Summary" + +[cve_table] +other = "Official Kubernetes CVE List" + +[cve_url] +other = "CVE URL" + [deprecation_title] other = "You are viewing documentation for Kubernetes version:" diff --git a/layouts/_default/cve-feed.json b/layouts/_default/cve-feed.json new file mode 100644 index 0000000000000..a185fde22fc77 --- /dev/null +++ b/layouts/_default/cve-feed.json @@ -0,0 +1,23 @@ +{ + "version": "https://jsonfeed.org/version/1.1", + "title": "Auto-refreshing Official CVE Feed", + "home_page_url": "https://kubernetes.io", + "feed_url": "https://kubernetes.io/docs/reference/issues-security/official-cve-feed/index.json", + "description": "Auto-refreshing official CVE feed for Kubernetes repository", + "authors": [ + { + "name": "Kubernetes Community", + "url": "https://www.kubernetes.dev" + } + ], + "items": [ + {{ range $i, $e := getJSON .Site.Params.cveFeedBucket }} + {{ if $i }}, {{ end }} + { + {{ T "cve_json_id" | jsonify }}: {{ .cve_id | jsonify }}, + {{ T "cve_json_url" | jsonify }}: {{ .issue_url | jsonify }}, + {{ T "cve_json_external_url" | jsonify }}: {{ .cve_url | jsonify}}, + {{ T "cve_json_summary" | jsonify }}: {{ replace (.summary | jsonify ) "\\u003e" ">" }} + }{{ end }} + ] +} diff --git a/layouts/shortcodes/cve-feed.html b/layouts/shortcodes/cve-feed.html new file mode 100644 index 0000000000000..1c04efab7ea8b --- /dev/null +++ b/layouts/shortcodes/cve-feed.html @@ -0,0 +1,19 @@ + + + + + + + + + + + {{ range $issues := getJSON .Site.Params.cveFeedBucket }} + + + + + + {{ end }} + +
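Review bot: In `layouts/_default/cve-feed.json` the item member names are produced by `T "cve_json_id"`, `T "cve_json_url"`, `T "cve_json_external_url"` and `T "cve_json_summary"`, which makes the feed schema translatable — a non-English `i18n` file could rename `id`, `url`, `external_url` or `summary`, yet those are the fixed JSON Feed 1.1 member names that consumers parse literally. Write them as literals, e.g. `"id": {{ .cve_id | jsonify }},`, and drop the four `cve_json_*` entries from `data/i18n/en/en.toml`. The `replace (.summary | jsonify ) "\\u003e" ">"` workaround also only undoes `>` while `jsonify` escapes `<` and `&` the same way; if the site's Hugo version supports jsonify options, `{{ jsonify (dict "noHTMLEscape" true) .summary }}` covers all three without string surgery (the escaped forms are valid JSON either way, so this is cosmetic rather than a bug). Keeping every bucket-sourced value wrapped in `jsonify`, as the hunk does, is the right call, since that data is remote input.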
{{ T "cve_table" }}
{{ T "cve_id" }}{{ T "cve_summary"}}{{ T "cve_issue_url" }}
{{ .cve_id | htmlEscape | safeHTML }}{{ .summary | htmlEscape | safeHTML }}#{{ .number }}
\ No newline at end of file
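Review bot: `{{ .cve_id | htmlEscape | safeHTML }}` and the same pipeline on `.summary` are double work: Hugo renders `.html` shortcodes through html/template, whose contextual autoescaping already escapes element content, and `safeHTML` only serves to switch that escaper off after the value was escaped by hand. Plain `{{ .cve_id }}` and `{{ .summary }}` give the same output in a table cell and remain safe if a cell is later moved into an attribute context, where `htmlEscape` is not the right encoding. The extraction dropped the table markup, so I cannot see the issue link's `href`; because `.issue_url` and `.number` come from the remote bucket, that attribute should be plain `{{ .issue_url }}` with no `safeURL`/`safeHTMLAttr`, so that a non-http scheme is neutralised by the autoescaper. An unreachable or empty feed currently renders an empty table with no message; wrapping the range in `{{ with getJSON .Site.Params.cveFeedBucket }} … {{ else }}` with a short notice would make that state visible to readers.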